FRISK Software International

7.1 How to interface with the Daemon Scanner

This section describes best practices for 3rd party applications to interface with the F-PROT Daemon Scanner to scan for viruses.

Daemon Scanner is the F-PROT Antivirus Daemon Program. For general usage information and help, please read the section on F-PROT Antivirus Daemon Scanner in this Helpfile as well as the man page (f-protd).

Note that although Daemon Scanner can scan MIME-encoded files, its MIME support is minimal. Client applications should, if at all possible, decode e-mail attachments using robust MIME parsers before handing those attachments to the Daemon Scanner for scanning. F-PROT Antivirus for Mail Servers uses a Daemon Scanner client called scan-mail.pl for this purpose.

How it works

Daemon Scanner, by default, listens on port 10200 on the loopback address, 127.0.0.1. This can be changed either via the -a or --address startup arguments to the F-PROT Antivirus Daemon program, or by setting a different address:port in the FPROT_DAEMON_ADDRESS variable in the config file /etc/f-prot.conf.

Every 30 seconds and after each scan request, the Daemon Scanner will check if any of the virus signature files or the Daemon Scanner binary itself have changed since startup. If so, Daemon Scanner will fork a new process which will try to reload itself with new virus signature files. The old process will continue to run and service scan requests for a fixed period of time. After that period has elapsed, the old process will check if the new one has loaded successfully and if it is ready to service scan requests. If so, the old process will exit.

The new process, once started, will search for a free port to listen on, starting with the base port (10200 by default) and checking each of the next 4 ports (10201, 10202, 10203, 10204), using the first available port to listen on. If it cannot find a free port, or if for some reason loading fails, the process will exit and the older process will simply carry on, retrying the whole process a few seconds later. The Daemon Scanner is set to retry this updating process at least 30 times before giving up.

For client applications, this means that

o There should always be at least one process ready to scan for viruses at any time.

o Client applications must search for a listening port before making a scan request.

How to search with the Daemon Scanner.

If the client application that is connecting to the Daemon Scanner does so over the loopback interface and is properly coded, the performance penalty for searching multiple ports is trivial. Consider the following C code:

// Illustrating how to connect to f-protd

#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <arpa/inet.h>   // htonl(), htons()
#include <errno.h>       // errno
#include <stdio.h>
#include <string.h>      // memset(), strerror()
#include <unistd.h>      // close()

int connect_to_fprotd(struct sockaddr_in *server_address, int base_port);

// dummy main program.
int main(int argc, char** argv)
{
	struct sockaddr_in addr;
	int sd;

	memset(&addr, 0, sizeof(addr));
	addr.sin_family = AF_INET;
	addr.sin_addr.s_addr = htonl(INADDR_LOOPBACK);
	sd = connect_to_fprotd(&addr, 10200);
	if( -1 == sd )
	{
		fprintf(stderr, "\nError connecting to daemon. Service not available.\n");
		return(-1);
	}
	// Next we'd send request to daemon, skipping that part for brevity
	//...
	close(sd);
	return 0;
}

// returns a valid socket descriptor connected to f-protd if successful
// returns -1 on failure.
int connect_to_fprotd(struct sockaddr_in *server_address, int base_port)
{
	int socket_descriptor;
	int i;

	socket_descriptor = socket(AF_INET, SOCK_STREAM, 0);
	if( -1 == socket_descriptor )
	{
		fprintf(stderr, "Error in socket(): %s\n", strerror(errno));
		return(-1);
	}
	// try the base port and each of the next 4 ports
	for( i = 0; i < 5; i++ )
	{
		server_address->sin_port = htons(base_port+i);
		if( 0 == connect(socket_descriptor, (struct sockaddr*) server_address,
				sizeof(*server_address)))
			break;
	}
	if( 5 == i ) // all connection attempts failed
	{
		close(socket_descriptor); // do not leak the descriptor
		return -1;
	}

	return socket_descriptor;
}

You do not need to re-create the socket between failed connect() calls, and the sockaddr_in structure only needs to be initialized once, except for the port number. What remains is one library call (htons) and one system call (connect) per try. Calling connect() on the loopback interface is cheap since no actual network traffic is required to check if that port will accept connections.

In practice, Daemon Scanner will almost always alternate between the base port and the next port number after it, but since there are 4 files to consider during updates (three virus signature files, and the executable itself) and each of those may be updated with intervals that would cause f-protd to start the reloading process for each file, we need 4 extra ports to guarantee that a scanner is always available.

If this behaviour is undesirable to you and you find that Daemon Scanner has settled on a high port after an update, e.g. 10204, you can touch one of the files after a few seconds when the update is complete to force Daemon Scanner to reload once more, this time grabbing back the lowest port number.

Communicating with the Daemon Scanner

Daemon Scanner implements a subset of the HTTP/1.0 and HTTP/1.1 protocols.

In its basic form, a client application connects to whatever port Daemon Scanner listens on and sends a 'GET' request with a path to a file to scan, followed by optional URL-encoded scanning options, followed by the protocol specifier.

Example:

telnet localhost 10200
GET /etc/services?-dumb%20-disinf HTTP/1.0 
.. 
2 blank lines follow 
..

Daemon Scanner's XML report and its DTD are then sent back, and Daemon Scanner then closes the connection.

If a client application has several files to scan, it makes sense to reuse the connection. For that purpose, set the protocol specifier to HTTP/1.1.

Example:

telnet localhost 10200
GET /etc/services?-dumb%20-disinf HTTP/1.1
Host: localhost
.. blank line ..
.. xml response sent back ..
GET /etc/termcap?-dumb%20-disinf HTTP/1.1
Host: localhost
.. blank line ..
.. xml response sent back ..

The 'Host:' line is mandated by the HTTP/1.1 standard but Daemon Scanner does not care about it. It checks the protocol specifier to determine if it should close the connection after scanning. Daemon Scanner treats every line after the GET request as a header line, until a blank line is read which indicates the end of the headers. The only header line Daemon Scanner looks for is the 'Connection: close' header which instructs Daemon Scanner to close the connection after completing the current request.
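
An added example (not part of the original help file and not FRISK's code) that builds the request lines shown above in C, with the options percent-encoded as in the examples. Because this page does not say whether the daemon decodes percent-escapes in the path, the sketch refuses any path containing whitespace, control characters, '?' or '%' instead of encoding it, so a file name taken from an e-mail attachment cannot add scan options or a second request. The names build_scan_request and encode_options are hypothetical, and CRLF line endings are assumed as in standard HTTP.

```c
#include <stdio.h>
#include <string.h>

/* Percent-encode the option string; only unreserved characters pass through. */
static int encode_options(const char *in, char *out, size_t outlen)
{
    static const char hex[] = "0123456789ABCDEF";
    size_t n = 0;
    for (; *in; in++) {
        unsigned char c = (unsigned char)*in;
        int safe = (c >= 'a' && c <= 'z') || (c >= 'A' && c <= 'Z') ||
                   (c >= '0' && c <= '9') || c == '-' || c == '_' || c == '.';
        if (n + (safe ? 1 : 3) >= outlen)
            return -1;                       /* keep room for the NUL */
        if (safe) out[n++] = (char)c;
        else { out[n++] = '%'; out[n++] = hex[c >> 4]; out[n++] = hex[c & 15]; }
    }
    out[n] = '\0';
    return 0;
}

/* Build one HTTP/1.1 scan request; last_request adds 'Connection: close'.
 * Returns the request length, or -1 if the path is unsafe or out is too small. */
int build_scan_request(char *out, size_t outlen, const char *path,
                       const char *options, int last_request)
{
    char opts[256];
    const char *p; int n;
    if (path[0] != '/')
        return -1;                           /* absolute paths only */
    for (p = path; *p; p++)
        if ((unsigned char)*p <= ' ' || *p == 0x7f || *p == '?' || *p == '%')
            return -1;                       /* would change the request line */
    if (encode_options(options, opts, sizeof(opts)) != 0)
        return -1;
    n = snprintf(out, outlen, "GET %s%s%s HTTP/1.1\r\nHost: localhost\r\n%s\r\n",
                 path, *opts ? "?" : "", opts,
                 last_request ? "Connection: close\r\n" : "");
    return (n < 0 || (size_t)n >= outlen) ? -1 : n;
}

int main(void)
{
    char req[512];   /* constructed sample: the page's own example request */
    if (build_scan_request(req, sizeof(req), "/etc/services", "-dumb -disinf", 1) > 0)
        fwrite(req, 1, strlen(req), stdout);
    return 0;
}
```

A file whose name is rejected can be scanned by copying it to a temporary file with a generated name and passing that path instead.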

Note: FRISK Software offers a virus scan library and software development kits to licensed 3rd party software developers that need virus scanning capabilities.
